GNS3 / gns3-server

GNS3 server
GNU General Public License v3.0

Security Risk/User Data Leak #1570

Open doronbl opened 5 years ago

doronbl commented 5 years ago

Hi team,

I'm working with the GNS3 REST API. Today I found that my sensitive data might be sent to a 3rd party without my agreement, and even without notifying me about it.

I run the REST API to import a project. The operation failed in the GNS3 server. In the GNS3 server logs I noticed the following:

2019-04-04 15:45:45 DEBUG base.py:726 Sending message of length 5398 to https://sentry.io/api/38482/store/
2019-04-04 15:45:46 INFO crash_report.py:136 Crash report sent with event ID: f2eb4b851831403882d6f9c5fcaa642d

Well, these days you can't do that, sending user information to others.

This needs to be fixed immediately.

Full log:

2019-04-04 15:45:45 ERROR route.py:234 Uncaught exception detected: <class 'aiohttp.web_protocol.RequestPayloadError'>
Traceback (most recent call last):
  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/gns3server/web/route.py", line 181, in control_schema
    yield from func(request, response)
  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/gns3server/handlers/api/controller/project_handler.py", line 351, in import_project
    chunk = yield from request.content.read(1024)
  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/aiohttp/streams.py", line 607, in read
    return (yield from super().read(n))
  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/aiohttp/streams.py", line 299, in read
    raise self._exception
aiohttp.web_protocol.RequestPayloadError: 400, message='Can not decode content-encoding: gzip'
2019-04-04 15:45:45 DEBUG base.py:726 Sending message of length 5398 to https://sentry.io/api/38482/store/
2019-04-04 15:45:46 INFO crash_report.py:136 Crash report sent with event ID: f2eb4b851831403882d6f9c5fcaa642d
2019-04-04 15:45:46 INFO response.py:56 POST /v2/projects/8c76f840-fb1f-401f-b348-22b432caeef2/import?name=isis
2019-04-04 15:45:46 DEBUG response.py:57 {'Accept': '/', 'User-Agent': 'python-requests/2.21.0', 'Host': '10.8.120.141:3080', 'Content-Length': '56044', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Content-type': 'application/octet-stream', 'Content-Encoding': 'gzip'}
2019-04-04 15:45:46 DEBUG response.py:59 {'name': 'isis'}
2019-04-04 15:45:46 INFO response.py:60 Response: 500 Internal Server Error
2019-04-04 15:45:46 DEBUG response.py:61 {'X-Route': '/v2/projects/{project_id}/import', 'Server': 'Python/3.5 GNS3/2.1.15', 'Connection': 'close', 'Content-Type': 'application/json'}
2019-04-04 15:45:46 DEBUG response.py:63 {'message': 'Traceback (most recent call last):\n  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/gns3server/web/route.py", line 181, in control_schema\n    yield from func(request, response)\n  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/gns3server/handlers/api/controller/project_handler.py", line 351, in import_project\n    chunk = yield from request.content.read(1024)\n  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/aiohttp/streams.py", line 607, in read\n    return (yield from super().read(n))\n  File "/usr/share/gns3/gns3-server/lib/python3.5/site-packages/aiohttp/streams.py", line 299, in read\n    raise self._exception\naiohttp.web_protocol.RequestPayloadError: 400, message=\'Can not decode content-encoding: gzip\'\n', 'status': 500}
2019-04-04 15:45:46 INFO helpers.py:534 10.8.120.191 [04/Apr/2019:12:45:46 +0000] "POST /v2/projects/8c76f840-fb1f-401f-b348-22b432caeef2/import?name=isis HTTP/1.1" 500 1037 "-" "python-requests/2.21.0"

Doron

grossmj commented 5 years ago

I understand your concerns, however the crash report information sent does not contain any sensitive data. Only data like the Python version, the locale, the OS version etc. is sent along with a traceback.

The crash report is generated here in our code https://github.com/GNS3/gns3-server/blob/2.1/gns3server/crash_report.py#L96

And this is what we can see on our side, only GNS3 developers have access to it.

[screenshot: crash_report]

Also, crash reports can be deactivated if you put report_errors = False in the gns3_server.conf or by deselecting "Send anonymous crash reports" in the GUI preferences.

[screenshot: crash_report_preferences]

In the end, I think we should ask a question, at install time or the first time the application is launched, to ask if users want to participate in this.
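As an added example (not code from this thread or from the GNS3 project), the following Python check lets an operator verify the opt-out described above and audit what already left the host: it reads a gns3_server.conf for the report_errors key, rewrites it to False, and scans server log lines for the Sentry upload and event-ID messages quoted in the report. The [Server] section name and the enabled-by-default behaviour when the key is absent are assumptions.

```python
import configparser
import io
import re

# Constructed gns3_server.conf sample; the [Server] section name is an assumption.
SAMPLE_CONF = """[Server]
port = 3080
report_errors = True
"""

# Constructed log lines modelled on the excerpt quoted in the issue.
SAMPLE_LOG = """\
2019-04-04 15:45:45 DEBUG base.py:726 Sending message of length 5398 to https://sentry.io/api/38482/store/
2019-04-04 15:45:46 INFO crash_report.py:136 Crash report sent with event ID: f2eb4b851831403882d6f9c5fcaa642d
"""

def crash_reporting_enabled(conf_text):
    """True if this config would let the server send crash reports; a missing
    key counts as enabled (assumed default, since a report went out unasked)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("Server", "report_errors", fallback=True)

def disable_crash_reporting(conf_text):
    """Return the config text with report_errors forced to False."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("Server"):
        cp.add_section("Server")
    cp.set("Server", "report_errors", "False")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

UPLOAD_RE = re.compile(r"Sending message of length (\d+) to (https://sentry\.io/\S+)")
SENT_RE = re.compile(r"Crash report sent with event ID: ([0-9a-f]{32})")

def find_crash_report_uploads(log_text):
    """Pair each Sentry upload line with the event ID logged after it."""
    uploads, pending = [], None
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            pending = {"bytes": int(m.group(1)), "url": m.group(2), "event_id": None}
            uploads.append(pending)
        elif pending is not None and (m := SENT_RE.search(line)):
            pending["event_id"] = m.group(1)
            pending = None
    return uploads
```

Run find_crash_report_uploads over the real server log to list every report that was transmitted, then apply disable_crash_reporting to the config if the result is not empty and the setting was never intended.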